lanslot
just joined
Topic Author
Posts: 5
Joined: Tue Mar 05, 2024 4:36 pm

UPnP and Hairpin NAT

Tue Mar 05, 2024 4:53 pm

Hi there, I am having some trouble getting UPnP and Hairpin NAT to work together. Can you help?
  • NAT is working for my web server with src-nat rule #0 in the config and dst-nat rule #2
  • Hairpin NAT is also working for devices on the LAN to access the web server, with src-nat rule #1 and dst-nat rule #2
  • UPnP is working fine from the WAN with src-nat rule #0 and dynamic dst-nat rule #3
  • UPnP does not work for devices on the LAN to access the server, because the dynamic dst-nat rule requires in-interface=ether1 (ether1 is my WAN port). For traffic coming from LAN clients, the in-interface is the bridge, not ether1.

Questions:
  • Can I tell the UPnP service to generate dynamic rules without in-interface=ether1?
  • If not, what else can I do to make UPnP and Hairpin NAT work together?

Here is my NAT config:
> ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: src nat
      chain=srcnat action=src-nat to-addresses=<my wan ip>
      src-address=192.168.1.0/24 out-interface-list=WAN log=no log-prefix="" 
      ipsec-policy=out,none 

 1    ;;; defconf: hairpin nat
      chain=srcnat action=src-nat to-addresses=<my wan ip> 
      src-address=192.168.1.0/24 dst-address=192.168.1.0/24 
      out-interface-list=LAN log=no log-prefix="" 

 2    ;;; Web server
      chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp 
      dst-address-list=WanIP dst-port=80 log=no log-prefix="" 

 3  D ;;; upnp 192.168.1.3: TCP
      chain=dstnat action=dst-nat to-addresses=192.168.1.3 to-ports=53052 
      protocol=tcp dst-address=<my wan ip> in-interface=ether1 dst-port=53052 
 
TheCat12
Member Candidate
Posts: 178
Joined: Fri Dec 31, 2021 9:13 pm

Re: UPnP and Hairpin NAT

Thu Mar 07, 2024 11:04 pm

Maybe change action=masquerade and set dst-address to be that of the server on the hairpin NAT rule, as well as on the defconf rule, unless there is a reason to be src-nat:
/ip firewall nat
set 0 action=masquerade src-address=""
set 1 action=masquerade dst-address=192.168.1.2
 
lanslot
just joined
Topic Author
Posts: 5
Joined: Tue Mar 05, 2024 4:36 pm

Re: UPnP and Hairpin NAT

Sat Mar 09, 2024 6:15 pm

Thanks for the suggestion. Unfortunately this didn't work. I think the problem is in the dst-nat rule #3, not in the src-nat rules.

Here is my understanding of the packet flow for Hairpin NAT (Scenario A):
  1. Say a LAN client at 192.168.1.100 sends a TCP SYN packet to my web server at <WAN_IP>:80
  2. The packet enters the router at the bridge interface.
  3. The router matches the packet with dst-nat rule #2 in my config. It performs the dst-nat action, rewriting the to-address to 192.168.1.2, which is the LAN IP of my web server.
  4. The router then matches the re-written packet with src-nat rule #1. It performs the src-nat action, rewriting the from-address to <WAN_IP> (configured as "to-address" in the src-nat rule)
  5. The packet is then sent to the web server, which sees from-address=<WAN_IP>, and to-address=<192.168.1.2>.
  6. The web server responds with a TCP SYN-ACK packet, with from-address=<192.168.1.2> and to-address=<WAN_IP>.
  7. The SYN-ACK packet is sent to the router. The router determines that the packet is part of a previous natted connection and undoes both the src-nat and dst-nat.
  8. The connection is established. Subsequent IP packets are processed at the router as part of the natted connection.

The problem with UPnP and Hairpin NAT is dst-nat rule #3 is not matched when the packet is originated from the LAN (Scenario B):
  1. Say a LAN client at 192.168.1.100 sends a TCP SYN packet to the UPnP server at <WAN_IP>:53052
  2. The packet enters the router at the bridge interface.
  3. The router does not find a matching dst-nat rule. The rule #3 is not matched because it requires in-interface=ether1 (the WAN interface), but this packet has in-interface=bridge.
  4. The router eventually forwards the request to the WAN interface, which is bound to <WAN_IP>. However, there is no service listening on port 53052 on the router, so it sends back a TCP RST to the client.

Changing the src-nat rules to masquerade has a small effect on Scenario A => Step 4. Instead of rewriting from-address to <WAN-IP>, the masquerade action will rewrite from-address to 192.168.1.1 (the router's LAN IP), because the outgoing interface is the bridge interface, not the WAN interface. This doesn't matter much though, as both the WAN_IP and the bridge interface IP are routable to the router itself.

In Scenario B, it does not matter whether a src-nat action or a masquerade action is in place, because the dst-nat rule was never actioned in Step 3.


Is my understanding above correct?

 
TheCat12
Member Candidate
Posts: 178
Joined: Fri Dec 31, 2021 9:13 pm

Re: UPnP and Hairpin NAT

Sun Mar 10, 2024 10:35 pm

Unfortunately, yes. And the only workaround I see is to make the addresses of the UPnP-enabled devices static and add your dst-nat rules before the dynamic ones, because, as you are probably aware, rules are processed in ascending order of their position in the list.
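To make the first-match behaviour that both the packet-flow walkthrough above and this workaround rely on concrete, here is an added Python model (not from the thread and not RouterOS code) of the dstnat chain as posted: rule #2 for the web server, dynamic rule #3 pinned to in-interface=ether1, and a static rule for the UPnP device inserted before #3. The WAN address, the Internet client address and the rule comments are constructed placeholders.

```python
WAN_IP = "203.0.113.10"                       # constructed stand-in for <my wan ip>
ADDRESS_LISTS = {"WanIP": {WAN_IP}}           # dst-address-list used by rule #2

def matches(rule, pkt):
    """A rule matches when every matcher it sets agrees with the packet; unset = wildcard."""
    for key in ("protocol", "dst-port", "dst-address", "in-interface"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "dst-address-list" in rule and pkt["dst-address"] not in ADDRESS_LISTS[rule["dst-address-list"]]:
        return False
    return True

def run_dstnat(chain, pkt):
    """Walk the chain top to bottom; the first matching rule wins, as RouterOS does.
    Returns (comment of the matched rule, translated packet), or (None, pkt) if nothing matched."""
    for rule in chain:
        if matches(rule, pkt):
            out = dict(pkt)
            out["dst-address"] = rule["to-addresses"]
            out["dst-port"] = rule.get("to-ports", pkt["dst-port"])
            return rule["comment"], out
    return None, pkt

# dstnat rules as posted: #2 static web server, #3 dynamic UPnP pinned to in-interface=ether1.
RULE_WEB = {"comment": "Web server", "protocol": "tcp", "dst-address-list": "WanIP",
            "dst-port": 80, "to-addresses": "192.168.1.2"}
RULE_UPNP = {"comment": "upnp 192.168.1.3: TCP", "protocol": "tcp", "dst-address": WAN_IP,
             "in-interface": "ether1", "dst-port": 53052,
             "to-addresses": "192.168.1.3", "to-ports": 53052}
ORIGINAL_CHAIN = [RULE_WEB, RULE_UPNP]

# Workaround from the thread: a static rule for the UPnP device, without in-interface,
# placed before the dynamic rule so it wins for traffic from both the bridge and ether1.
RULE_UPNP_STATIC = {"comment": "static 192.168.1.3:53052", "protocol": "tcp",
                    "dst-address": WAN_IP, "dst-port": 53052,
                    "to-addresses": "192.168.1.3", "to-ports": 53052}
WORKAROUND_CHAIN = [RULE_WEB, RULE_UPNP_STATIC, RULE_UPNP]

def lan_client(dport):   # hairpin case: LAN host reaching <WAN_IP>:dport via the bridge
    return {"protocol": "tcp", "src-address": "192.168.1.100",
            "dst-address": WAN_IP, "dst-port": dport, "in-interface": "bridge"}

def wan_client(dport):   # constructed Internet host arriving on ether1
    return {"protocol": "tcp", "src-address": "198.51.100.7",
            "dst-address": WAN_IP, "dst-port": dport, "in-interface": "ether1"}

if __name__ == "__main__":
    for name, chain in (("posted config", ORIGINAL_CHAIN), ("with workaround", WORKAROUND_CHAIN)):
        print(name, "-> LAN client to :53052 matched rule:", run_dstnat(chain, lan_client(53052))[0])
```

The model only covers the dstnat pass; the srcnat step that follows (rule #1 for hairpin, or masquerade) is unaffected, which is why changing those rules did not help in Scenario B.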
 
lanslot
just joined
Topic Author
Posts: 5
Joined: Tue Mar 05, 2024 4:36 pm

Re: UPnP and Hairpin NAT

Mon Mar 11, 2024 12:32 am

Thanks for confirming! Do you by any chance know how to submit feature requests to MikroTik? It would be nice for them to add a config option to remove the in-interface=ether1 filter from dynamic dst-nat rules.
Last edited by lanslot on Mon Mar 11, 2024 3:14 pm, edited 1 time in total.
 
TheCat12
Member Candidate
Posts: 178
Joined: Fri Dec 31, 2021 9:13 pm

Re: UPnP and Hairpin NAT

Mon Mar 11, 2024 7:29 am

 
tangent
Forum Guru
Posts: 1404
Joined: Thu Jul 01, 2021 3:15 pm

Re: UPnP and Hairpin NAT

Mon Mar 11, 2024 7:41 am

 
lanslot
just joined
Topic Author
Posts: 5
Joined: Tue Mar 05, 2024 4:36 pm

Re: UPnP and Hairpin NAT

Mon Mar 11, 2024 3:20 pm

I raised the issue in both places. Thank you both!
